Will Shutdown of Microsoft XP Leave Users Vulnerable?

Consumers, businesses and municipalities across the country now are under pressure to replace or upgrade their computers or suffer ever-increasing security risks.

by Jessica Hall, McClatchy News Service
/
April 7, 2014

When Microsoft pulls the plug Tuesday on its Windows XP desktop operating system, about 10 percent of the city of Portland’s computers will become more vulnerable to data breaches and other security concerns.

Those computers are among hundreds of millions that continue to operate with Windows XP despite several months of warnings by Microsoft that it would discontinue security updates and technical support services for its still-popular legacy operating system.

Consumers, businesses and municipalities across the country now are under pressure to replace or upgrade their computers or suffer ever-increasing security risks. Those at-risk systems include 95 percent of U.S. bank ATMs, which still are running Windows XP, according to a report by Retail Banking Research.

The expiration of support for Windows XP also means that software publishers will stop developing applications that are compatible with the operating system, despite research that shows Windows XP remains the second-most-used desktop operating system in the world.

“The time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences,” Microsoft said in a news release. The Redmond, Wash.-based company released Windows XP on Dec. 31, 2001.

Even though Microsoft has been warning ever since 2007 that the end was looming, Windows XP still represented 18.6 percent of all desktop operating systems as of March 2014, behind Windows 7, which held the top spot with nearly 55 percent, according to research firm StatCounter. Windows 8, the operating system Microsoft has been promoting since last year, lags behind with just 7.9 percent of desktops installed.

The city of Portland has been working over the past year to replace its computer systems in time for Tuesday’s end-of-life deadline for Windows XP. About 100 of the 1,000 computers used by city staff need to be upgraded and replaced, city spokeswoman Jessica Grondin said, adding that those systems are scheduled to be replaced under the Fiscal Year 2015 budget.

The remaining computers running Windows XP will be monitored closely by the city’s information technology department, she said.

“If they detect any problem, they can deny the access to the network,” Grondin said. “They have the tools in place that a computer can be removed from the network and protected on a moment’s notice.”

Still, security experts said anyone running Windows XP faces vulnerability from cyberattacks or malware, short for malicious software, which is developed or used by attackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.

“Organizations that continue to use XP past end-of-life endanger their customers, employees and communities, which may result in costly security, compliance and liability issues,” Sari Greene, founder of Sage Data Security in Portland, wrote in a newsletter to clients.

Between 2001 and 2013, more than 760 critical Windows XP security vulnerabilities were found and more than 2,000 security patches were issued in response, according to Sage Data Security.

“There is no question that criminals will continue to develop malware to exploit Window XP weaknesses. What is different is that there will be no corresponding fix,” Greene said. “We know that those with malicious intent will continually scan company networks for weaknesses. An end-of-life operating system like Windows XP is an open invitation to launch an attack, which may result in a costly breach.”

Continuing to run an unsupported operating system could result in legal liability, as well as denial of insurance coverage for companies, Greene said.

Other data experts said most consumers and small businesses have minimal risk, and that fears of a security breach are overblown.

“It’s not a really big deal at all unless you’re a gigantic company. It’s not a Y2K moment where people fear the computer world will come to an end,” said Patrick Doyle, owner of Cold Coast Web Solutions in Portland. The “Y2K bug,” a programming glitch that prevented some computers’ clocks from differentiating between the years 1900 and 2000, caused widespread fear that computer systems controlling everything from financial institutions to airlines would break down.

Thanks in part to proactive efforts to fix the bug, virtually nothing went wrong on Jan. 1, 2000.

Consumers using Windows XP, who have been getting pop-up messages on their computers from Microsoft for weeks warning them about the deadline, have a lot of questions about what will happen on April 8, computer experts said.

“Every single day, we have people coming in with questions,” said Jesse Kidder, supervisor of the Geek Squad at South Portland’s Best Buy store, who holds the title deputy of counter intelligence. “The biggest fear people have is whether their computer will still work after April 8. Your computer won’t die or explode, but as far as security, you won’t be protected anymore.”

The last time Microsoft pulled the plug on a major system was when Windows 2000 support ended in 2010. In addition to Windows XP, other programs set for end-of-life deadlines include Office 2003, Exchange Server 2003, SharePoint Portal Server 2003, Small Business Server 2003 and Windows Server 2003 R1.

Kidder said most customers are opting for a new computer or tablet rather than risking a security breach by keeping Windows XP.

While the United Kingdom government paid Microsoft nearly $9.3 million (£5.6 million) for a one-year deal for custom end-of-life support, most consumers, businesses and municipalities can’t afford such an arrangement and need to come to terms with the deadline.

Upgrading to Windows 7 ranges in cost from about $69 for “home premium” editions to more than $200 for Windows 7 “ultimate.”

“It’s kind of like ripping a Band-Aid off. You just have to do it,” Kidder said. “As far as technology is concerned, there are so many options now. There’s not a better time to be doing this.”